Description
Internet Optimizer is an error page hijacker.
Variants
InternetOptimizer/Iopti: unknown-server errors, page-missing errors, server errors and even password-required errors are redirected to Internet Optimizer’s controlling server at
www.internet-optimizer.com.
InternetOptimizer/Nem: as Iopti, but searches are hijacked to yoogee.com (a search site run by the makers of InternetOptimizer).
InternetOptimizer/Wsem: a larger version of the software, whose purpose is unclear.
InternetOptimizer/Active: a reduced version that doesn’t do error page hijacking, used purely for the updater function.
InternetOptimizer/Crmrest: an ActiveX downloader control for InternetOptimizer. This poses as a comedy or porn video from the site movies-etc.com, and when allowed to install may forward a mail to all contacts in your Outlook address book, promoting movies-etc in your name.
Also known as
DyFuCA.
Distribution
May be installed by MoneyTree/DyFuCA, Roimoi, or the Crmrest downloader variant.
What it does
Advertising
Yes. The ‘DyFuCA Active Alert’ component can open pop-up ‘alerts’ when directed by its controlling server.
Privacy violation
Suspected. The EULA at Internet Optimizer’s web site states the software may send all your browsing information back to its controllers. At the time of writing, however, this has not been seen to happen with the current version of the software.
Security issues
Yes. Can download and execute arbitrary unsigned code from its controlling server, as an update feature.
Stability problems
Unknown; some unclear user reports of it causing crashes.
Removal
Check the Control Panel’s Add/Remove Programs feature for ‘Active Alert’ and ‘Internet Optimizer’. In older versions these may work if used together. Newer versions present only ‘Internet Optimizer’, which on its own has no effect.
After removal, ensure that infection vector - MoneyTree/DyFuCA, Roimoi or CrmRest is no longer loaded.
Manual removal
For the Crmrest installer variant, open the Downloaded Program Files folder (inside the Windows folder) and remove the ‘Media Manager’ entry.
For other variants, open the Windows folder. You should be able to see a file ‘ioptiXXX.dll’ (Iopti variant), ‘nemXXX.dll’ (Nem variant) or ‘wsemXXX.dll’ (Wsem variant). The XXX differs for different versions; common versions are ‘iopti130.dll’, ‘nem207.dll’ and ‘wsem210.dll’.
Open the registry (click ‘Start’, choose ‘Run’ and enter ‘regedit’) and find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Delete the entries ‘DyFuCA’ and ‘DyFuCA Active Alerts’.
Now open a DOS command prompt window (from Start->Programs->Accessories), and enter the following commands (for the Iopti variant):
cd "%WinDir%\System"
regsvr32 /u ..\iopti130.dll
Or, for the Nem variant:
cd "%WinDir%\System"
regsvr32 /u ..\nem207.dll
Or, for the Wsem variant:
cd "%WinDir%\System"
regsvr32 /u ..\wsem210.dll
Restart the computer and you should be able to delete the DLL from the Windows folder, and the ‘DyFuCA’, ‘Internet Optimizer’ or ‘STWSI’ folder you may have inside Program Files. You can also delete the subkey ‘FCI’ in HKEY_LOCAL_MACHINE\Software and HKEY_CURRENT_USER\Software to clean up if you like.
